Solved

ISA 2006 Client\User Certificates Issue...

Posted on 2006-11-17
Last Modified: 2013-11-16
I was wondering if the statement below is true for ISA 2006, as it was in ISA 2000 and I believe ISA 2004?

If you’ve tried to allow users to authenticate with the Incoming Web Requests listener and the internal network Web server, you’ve realized it doesn’t work. There is only one way to get authentication to work on both the Incoming Web Requests listener and the Web server on the internal network. The only scenario that allows authentication at both the ISA Server and the internal network Web server is when the Incoming Web Requests listener uses client certificate authentication and the internal network Web server uses Digest, Integrated or Basic authentication.

Is this the only scenario that requires the use of client\user certificate authentication for any version of ISA?

It looks like in ISA 2006, as long as we have SSL bridging on, we can secure communications via SSL from the ISA server to the web server too, as well as or in addition to configuring a secure SSL connection from the web client to the ISA server itself via the listener. It seems like in ISA 2006 you don’t need dual authentication, both at the ISA and at the web server, to have full end-to-end SSL.

Is that now true in ISA 2006?

Or has this always been possible in all versions of ISA?

More to the point, does it hold on all versions that for dual authentication you must use client certificates?

Meaning, is it the only time client\user certs are required?

But if you don’t want\need dual authentication, meaning just authenticating at the ISA, can we still have end-to-end SSL on ISA 2006 without the use of client certificates?

{Is it also true for ISA 2004 and 2000?}

Also, in the scenario where no client\user certificates are involved, does ISA then never need to communicate with a CA to verify certificates via a CRL to maintain\employ end-to-end SSL?

Because at this point our certs on ISA show as invalid or expired, as we are not allowing any web traffic from ISA out.

I know there is a CRL HTTP rule out, but not sure if we need to allow that with web clients just authenticating at ISA and not the web server too, i.e. dual auths?

In the scenario where authentication takes place only at the ISA listener, does it matter that we have not allowed access to the web to access CRL data?

As I know that a cert is considered invalid if not verified against a CRL {why our ISA certs have a red X, i.e. show as invalid\expired}, but it nonetheless does match the certs on the web server, which themselves, unlike the ISA server, do not have a red X on the cert, as it can verify the cert because it has web access.

Do we need to allow one-time {or continuous} access to a\the CRL site to get the red X off the ISA certs if we're only authenticating web clients once via the ISA listener for end-to-end SSL?

Paul…

 

Question by: inuic

11 Comments
 
Expert Comment by: Keith Alabaster (LVL 51), ID: 17967801
First, please do not leave all that white space between your comments; it makes it a nightmare to read through.

In 2004 and 2006 you had the option of either tunnelling SSL or bridging it. Many people prefer tunnelling, whereby you only have the cert on the web server and ISA tunnels the traffic directly through to the web server. Upside: cert only on the web server. Downside: ISA cannot filter the traffic, as it cannot decrypt (see inside) the SSL tunnel and so cannot see what the traffic is to accept/reject it, i.e. it's just a conduit.

The bridging option comes in a number of flavours:

SSL outside to ISA (needs cert on ISA) --- bridge SSL from ISA to web server (needs another cert on web server)
SSL outside to ISA (needs cert on ISA) --- bridge HTTP from ISA to web server (no cert on web server)
HTTP outside to ISA (no cert on ISA) --- bridge HTTP from ISA to web server (no cert on ISA)
HTTP outside to ISA (no cert on ISA) --- bridge SSL from ISA to web server (needs cert on web server)

View the certificate; a red X normally means it has failed one of the criteria: Fully Qualified Domain Name (FQDN), out of date, non-authorised certifier, etc. Have you imported the certs into the certificate root on ISA also?

Keith

Expert Comment by: Keith Alabaster (LVL 51), ID: 17967818
Also, who is your certificating body?

You can add them to the list through the ISA system policy: highlight the ISA firewall policy.
At the top of the ISA screen, a set of icons appears. Hit the last one on the right and it toggles the system policy rules on/off. Towards the bottom of these are the allowed CRL sites etc. Edit this and add as necessary. Apply the policy, then hit the toggle icon again to get rid of them from the list.
Author Comment by: inuic, ID: 17968014
My main question is about Client\User Certificates, and if they are needed\required for full end-to-end SSL? It looks like you can have end-to-end SSL and just use bridging, without employing the extra step of user certificates. Is this just tunnelling? In order to have stateful inspection of what's in the SSL tunnel, do you need to use user\client certificates? If I don't require authentication at both the ISA server and the Web server, and just at ISA, and have SSL from the client to ISA and bridge SSL to the Web server from ISA, is that just SSL tunnelling? i.e. not stateful inspection of the data in the SSL tunnel?

Which scenarios allow stateful inspection of what's in the SSL tunnel when using end-to-end SSL? Does it require client\user certificates? i.e. dual authentication at both the ISA and web server?

If I just require authentication at ISA and still bridge SSL to the web server, is that just SSL tunnelling?

I'm not sure my question\s were really answered by the previous comments. But thanks for the input.

Paul...
P.S. I left white space for room to answer my individual questions, as there were many...
Expert Comment by: Keith Alabaster (LVL 51), ID: 17968079
OK, one at a time here..... :)

To perform SPI through ISA you need to bridge, period. Tunnelling means that ISA cannot see what is in the tunnel, as it's encrypted, and acts simply as a carrier for the traffic, not a monitor; i.e. the client makes the SSL tunnel from their browser directly to the end web server. SSL tunnelling on ISA means it acts like a railway tunnel: the traffic simply passes through, as in a conduit.

Bridging means that ISA terminates the connection from the client regardless of whether it is SSL or HTTP. It then opens its own connection between itself and the web server. In this condition it can check the traffic, as it has decoded what has come in (and identified it) before repackaging it again for transit to the web server.

Most organisations use SSL between the ISA and the outside client and then use HTTP (bridge) to the internal web server. It saves on certificates and is the simplest method, with the exception of tunnelling straight through.

When you click on your certificate and choose the view option, what does it say has failed?
Author Comment by: inuic, ID: 17968089
P.S.

I have imported the certs into the certificate root on ISA. But we allow no web traffic out, hence the CRL site cannot be contacted to verify the certs on ISA. Is that why they have a red X? The same certs on the web server have no red X. I imported my certs to ISA from the web server. To verify the certs on ISA {remove red X}, do I need to allow ISA access to the CRL site? We are using VeriSign as our CA.

Paul...
Expert Comment by: Keith Alabaster (LVL 51), ID: 17968109
Sorry, have I been at a tangent here? Yes, ISA will need to contact the site; by default ISA cannot talk to much. If you do not want ISA to have general web access, then use the option I mentioned above to give limited access.

<<< You can add them to the list through the ISA system policy: highlight the ISA firewall policy.
At the top of the ISA screen, a set of icons appears. Hit the last one on the right and it toggles the system policy rules on/off. Towards the bottom of these are the allowed CRL sites etc. Edit this and add as necessary. Apply the policy, then hit the toggle icon again to get rid of them from the list. >>>
Author Comment by: inuic, ID: 17968121
How do you configure just SSL tunnelling, that is, end-to-end SSL with no bridging, then? I know how to do bridging, it seems, but am still confused as to when a user\client certificate comes into play. This is more complex than I had hoped...

Paul
Author Comment by: inuic, ID: 17968159
We were able to access the internal web server over SSL even though the certs in ISA have the red X on them... Is that one way it's allowed to work? Is it that if I want to use client\user certificates in conjunction with what I am already doing, I need to get rid of the red X's on my certs in ISA?

Paul
Accepted Solution by: Keith Alabaster (LVL 51), earned 125 total points, ID: 17968221
Maybe it is simpler if I give you some links to check through. I am doing a couple of ISA 2000 questions at the moment, so I cannot get to the screens I need to give you the exact option.

Here is the difference between tunnelling and bridging:
http://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html

These are the links I generally post to people to explain the process; they may give you the answer you are looking for.
http://support.microsoft.com/default.aspx?kbid=837834&product=isas2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/help/FW_SecureWebPub.mspx?mfr=true
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/publishingwebservers.mspx
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx

I know you are on 2006, but the process is the same.
